@kolyshkin
Collaborator

What type of PR is this?

/kind bug

What this PR does / why we need it:

In case cgroupfs cgroup manager is used, the container got created under
the conmon cgroup (rather than under the root), and then the stats
doesn't work because the cgroup path is invalid.

For example, if the conmon cgroup is created as
/sys/fs/cgroup/pod_123-456/crio-conmon-<ID>, then the container cgroup
is created as
/sys/fs/cgroup/pod_123-456/crio-conmon-<ID>/pod_123-456/crio-<ID>,
rather than sys/fs/cgroup/pod_123-456/crio-conmon-<ID>.

The `crictl stats` then fails as it can't find the container cgroup.

This happens because the cgroupsPath set in spec for such containers
is not absolute, so the cgroup is created under the current cgroup,
which is that of conmon.

The fix is easy.

Which issue(s) this PR fixes:

Fixes #4075

Special notes for your reviewer:

Found while working on #4064. That PR has a test case (in test/stats.bats) which will check this issue, so there's no test case in here.

Does this PR introduce a user-facing change?

Fix the container cgroup in case cgroupfs cgroup manager is used (#4075)

In case cgroupfs cgroup manager is used, the container got created under
the conmon cgroup (rather than under the root), and then the stats
doesn't work because the cgroup path is invalid.

For example, if the conmon cgroup is created as
/sys/fs/cgroup/pod_123-456/crio-conmon-<ID>, then the container cgroup
is created as
/sys/fs/cgroup/pod_123-456/crio-conmon-<ID>/pod_123-456/crio-<ID>,
rather than sys/fs/cgroup/pod_123-456/crio-conmon-<ID>.

The `crictl stats` then fails as it can't find the container cgroup.

This happens because the cgroupsPath set in spec for such containers
is not absolute, so the cgroup is created under the current cgroup,
which is that of conmon.

The fix is easy.

Signed-off-by: Kir Kolyshkin <[email protected]>
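
Added example, not part of the PR and not CRI-O or runc code: a simplified Go model of the resolution rule the description reports (a relative cgroupsPath lands under the caller's cgroup, an absolute one under the cgroup root), applied to the path before and after the fix. The function names, `resolveCgroup` and the literal `ID` are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
)

const cgroupRoot = "/sys/fs/cgroup"

// resolveCgroup is a simplified model (an assumption, not runtime code) of the
// behaviour described in the PR: an absolute cgroupsPath is placed under the
// cgroup root, a relative one under the cgroup of the calling process (conmon).
func resolveCgroup(callerCgroup, cgroupsPath string) string {
	if filepath.IsAbs(cgroupsPath) {
		return filepath.Join(cgroupRoot, cgroupsPath)
	}
	return filepath.Join(cgroupRoot, callerCgroup, cgroupsPath)
}

// pathBefore mirrors the return statement that the fix replaces.
func pathBefore(parent, prefix, id string) string {
	return filepath.Join(parent, prefix+"-"+id)
}

// pathAfter mirrors the fixed return statement: joining with "/" makes the
// result absolute, and is a no-op when parent is already absolute.
func pathAfter(parent, prefix, id string) string {
	return filepath.Join("/", parent, prefix+"-"+id)
}

func main() {
	conmon := "/pod_123-456/crio-conmon-ID" // constructed caller cgroup
	for _, parent := range []string{"pod_123-456", "/pod_123-456"} {
		fmt.Printf("parent=%q\n", parent)
		fmt.Println("  before:", resolveCgroup(conmon, pathBefore(parent, "crio", "ID")))
		fmt.Println("  after: ", resolveCgroup(conmon, pathAfter(parent, "crio", "ID")))
	}
}
```

With a relative parent, the "before" path nests under the conmon cgroup, which is the location the stats lookup does not expect; the "after" path is the same whether or not parent already starts with a slash.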
@openshift-ci-robot added the release-note, kind/bug and dco-signoff: yes labels Aug 14, 2020
@codecov

codecov bot commented Aug 14, 2020

Codecov Report

Merging #4080 into master will not change coverage.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #4080   +/-   ##
=======================================
  Coverage   41.17%   41.17%           
=======================================
  Files         109      109           
  Lines        9018     9018           
=======================================
  Hits         3713     3713           
  Misses       4966     4966           
  Partials      339      339           

@saschagrunert
Member

/retest

@saschagrunert left a comment

LGTM

@openshift-ci-robot added the approved label Aug 14, 2020
@giuseppe
Member

/retest

@kolyshkin
Collaborator Author

/retest

@mrunalp
Member

mrunalp commented Aug 17, 2020

/lgtm

@openshift-ci-robot added the lgtm label Aug 17, 2020
@haircommander
Member

/retest

parent = sbParent
}
return filepath.Join(parent, crioPrefix+"-"+containerID)
return filepath.Join("/", parent, crioPrefix+"-"+containerID)
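
Review bot: the new return `filepath.Join("/", parent, crioPrefix+"-"+containerID)` has no comment saying why the leading "/" is there, so a later cleanup could drop it as redundant and reintroduce the relative cgroupsPath. A one-line comment above it, stating that the path must be absolute so the runtime does not create the container cgroup under the caller's (conmon's) cgroup, would protect the fix. On the securejoin question raised on this line: filepath.Join runs Clean on its result, so any ".." in parent is collapsed lexically and cannot climb above "/", but symlinks are not resolved; the same comment could record that parent is expected to be a sandbox cgroup path created by CRI-O itself.
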
Contributor

IDK, but should we be doing a securejoin here?

Collaborator Author

I don't think so.

  1. This is not an absolute path, but one relative to /sys/fs/cgroup.
  2. runc/crun [should] do sanity checks.
  3. The only untrusted component here is parent; this is a cgroup of sandbox, which is also created by cri-o.

@haircommander
Member

/retest

@kolyshkin
Collaborator Author

/retest

@haircommander
Member

/retest

@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kolyshkin, mrunalp, saschagrunert


Details Needs approval from an approver in each of these files:
  • OWNERS [mrunalp,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mrunalp
Member

mrunalp commented Aug 17, 2020

/test e2e-aws

@haircommander
Member

/retest

@mrunalp
Member

mrunalp commented Aug 18, 2020

/test e2e-aws

@kolyshkin
Collaborator Author

CI is all green now, although tide status was not updated here.

@mrunalp merged commit 2d75ee2 into cri-o:master Aug 19, 2020
Development

Successfully merging this pull request may close these issues.

cgroupfs: container created with bad cgroup path
